FMA report on cyber-resilience in financial services

The Financial Markets Authority (FMA) has released a report on their review of cyber-resilience in New Zealand financial services. A copy of the report can be found here.

Who needs to read it? Why?

The FMA is concerned about the exposure of financial services firms to cyber-risk. Cyber-risk includes the risk of loss, disruption or damage to a firm caused by failure in its information technology systems – from both internal and external threats. Cyber-crime attacks are on the increase.

This report aids understanding of the nature and frequency of these risks, and the steps being taken by some financial services firms to address them.

This report will be of particular interest to entities regulated by the FMA, as it provides detail on the FMA's expectations and what it considers best practice in the area. It will also be useful to other participants in financial markets and to businesses generally, as it discusses the nature and prevalence of cyber-risk within them.

What does it cover?

This report follows a thematic review by the FMA of cyber-resilience in New Zealand financial services. That review gathered information on participants’:

perceptions of cyber-risk;

reported attacks; and

existing levels of preparation and cyber-resilience.

Key recommendations made in the report include that:

market participants should include an assessment of cyber-risk within their wider risk assessment and management programme;

market participants should use a recognised cyber-security framework to assist their planning, prioritising and managing of cyber-resilience;

market participants should have an appropriate balance between protection and detection measures, rather than relying overly on protection measures;

all firms should make use of available resources that monitor incidents, provide advice and alerts, and generally assist in protecting systems from cyber-threats (such as CERT NZ and the National Cyber Security Centre); and

all firms must include in their governance arrangements ownership and visibility of their cyber-resilience framework.

Our view

Adequately addressing cyber-risk is an important part of maintaining customer confidence and stability in the financial markets.

Interestingly, Standard 5 of the Code of Professional Conduct for Financial Advice Services, when it comes into force, will require licensed financial advice providers to take reasonable steps to protect client information against loss and unauthorised access, use, modification, or disclosure. This will effectively require addressing cyber-security.

What next?

If you have any questions in relation to cyber-resilience and financial regulation, or are considering how this report may affect your business, please contact one of our experts.